Nextcloud GHSA-MJF5-P765-QMR6
Jun 22, 2023 - 6:17 a.m.

Password reset endpoint is not brute force protected

2023-06-22 06:17:09
github.com
nextcloud
brute force
upgrade
vulnerability
nextcloud server
nextcloud enterprise server
hackerone
pullrequest
security advisory

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 50.1%

Description

Impact

The password reset endpoint does not limit failed attempts, so an unauthenticated attacker can brute-force password reset links (the tokens they carry) instead of needing access to the victim's mailbox.

Patches

It is recommended that Nextcloud Server be upgraded to 25.0.7 or 26.0.2.
It is recommended that Nextcloud Enterprise Server be upgraded to 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 or 26.0.2.

Workarounds

  • No workaround available
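The advisory does not describe the fix itself, so the following is an added illustration, written for this page and not taken from Nextcloud's code base, of what brute-force protection on a reset-token endpoint looks like: a high-entropy single-use token, a constant-time comparison of hashed values, and a sliding-window failure counter keyed by both user and client IP. The `throttle=False` mode reproduces the unprotected pattern the advisory describes (every guess is evaluated) so the two can be compared side by side. The policy values (`TOKEN_TTL`, `MAX_FAILURES`, `WINDOW`) and the attacker guesses are assumptions made for the example.

```python
"""Password reset token verification with and without brute-force protection.

Illustrative code written for this page; it is not Nextcloud's implementation.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TOKEN_BYTES = 32      # 256 bits of randomness per token (assumed policy values follow)
TOKEN_TTL = 3600      # a token stays valid for one hour
MAX_FAILURES = 5      # failed verifications tolerated per user (and per IP) ...
WINDOW = 900          # ... within a 15 minute sliding window


def _digest(token: str) -> bytes:
    # Store and compare only a hash, so a leaked table does not leak usable links.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class ResetService:
    now: Callable[[], float] = time.time   # injectable clock so the window is testable
    throttle: bool = True                  # False reproduces the unprotected pattern
    _tokens: Dict[str, Tuple[bytes, float]] = field(default_factory=dict, repr=False)
    _failures: Dict[str, List[float]] = field(default_factory=dict, repr=False)

    def issue(self, user_id: str) -> str:
        """Create a single-use reset token and return the value to mail to the user."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[user_id] = (_digest(token), self.now())
        return token

    def _recent_failures(self, key: str) -> int:
        cutoff = self.now() - WINDOW
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = recent      # forget failures outside the window
        return len(recent)

    def verify(self, user_id: str, token: str, client_ip: str) -> str:
        """Return 'ok', 'invalid' or 'throttled'; only 'ok' authenticates the reset."""
        keys = (f"user:{user_id}", f"ip:{client_ip}")
        if self.throttle and any(self._recent_failures(k) >= MAX_FAILURES for k in keys):
            return "throttled"            # rejected before the token is even looked at

        record = self._tokens.get(user_id)
        # Compare against a dummy digest when no token exists so response timing
        # does not reveal which user ids currently have a pending reset.
        expected, issued = record if record else (bytes(32), 0.0)
        fresh = self.now() - issued <= TOKEN_TTL
        matched = hmac.compare_digest(_digest(token), expected)
        if record is None or not matched or not fresh:
            stamp = self.now()
            for k in keys:
                self._failures.setdefault(k, []).append(stamp)
            return "invalid"

        del self._tokens[user_id]         # single use: a token seen once is gone
        return "ok"


def simulate_attack(service: ResetService, user_id: str, client_ip: str,
                    guesses: List[str]) -> Dict[str, int]:
    """Feed attacker guesses to verify() and count how each one was handled."""
    outcome = {"ok": 0, "invalid": 0, "throttled": 0}
    for guess in guesses:
        outcome[service.verify(user_id, guess, client_ip)] += 1
    return outcome


if __name__ == "__main__":
    guesses = [f"guess-{i}" for i in range(50)]     # constructed attacker input
    hardened = ResetService()
    hardened.issue("alice")
    print("hardened:   ", simulate_attack(hardened, "alice", "203.0.113.7", guesses))
    unprotected = ResetService(throttle=False)
    unprotected.issue("alice")
    print("unprotected:", simulate_attack(unprotected, "alice", "203.0.113.7", guesses))
```

With throttling on, the hardened service evaluates five guesses and refuses the remaining forty-five without touching the token, while the unprotected service evaluates all fifty. Two caveats a practitioner should keep in mind: the per-user counter also locks out the legitimate user for the duration of the window, which is why it is paired with a per-IP counter rather than used alone, and throttling is defence in depth; the primary protection is that a 256-bit random token cannot be guessed in any number of attempts an endpoint would serve.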

For more information

If you have any questions or comments about this advisory:
